Embed Size (px)
Citation preview
A Formal Modeling Framework for DeployingSynchronous Designs on Distributed Architectures?
Luca P. Carloni and Alberto L. Sangiovanni-Vincentelli
EECS Department, University of California at Berkeley, Berkeley, CA 94720http://www-cad.eecs.berkeley.edu/HomePages/{lcarloni,alberto}
Abstract. Synchronous specifications are appealing in the design of large scalehardware and software systems because of their properties that facilitate verifi-cationandsynthesis. When the target architecture is adistributed system, imple-menting a synchronous specification as a synchronous design may be inefficientin terms of both size (memory for software implementations or area for hard-ware implementations) and performance. A more elaborate implementation stylewhere the basic synchronous paradigm is adapted to distributed architectures byintroducing elements of asynchrony is, hence, highly desirable. This approach hasto conjugate the desire of maintaining the theoretical properties of synchronousdesigns with the efficiency of implementations where the constraints imposed bysynchrony are relaxed. Two interesting avenues have been recently pursued toachieve this goal:
– Latency-insensitive protocols [9,10] motivated by hardware implementations,where long paths between the design components may introduce delays thatforce the overall clock of the system to run too slow in order to maintainsynchronous behavior. This approach introduces additional elements in thedesign to allow the implementation to maintain the throughput that couldhave been achieved with communication delays of the same order of theclock of the subsystems at the price of additional latency.
– Desynchronization [3,4,20] motivated by software implementations, whereprocesses that compose the large scale system are locally implemented syn-chronously while their communication is implemented in an asynchronousstyle. This approach allows also to run each of the process at its own “speed”.
By using the Lee and Sangiovanni-Vincentelli (LSV) tagged-signal model [19]as a common framework, we offer a comparative exposition of these approachesand we show their precise relationship. In doing so, we also provide some in-sight on the role of signal absence in synchronous, asynchronous, and globally-asynchronous locally-synchronous (GALS) design styles.
1 Introduction
The synchronous design paradigm is pervasive in electronic system engineer-ing. It is used in discrete-time dynamical control systems, it is the basis of digi-tal integrated circuit design, and it is the foundation of programming languages? This research was supported in part by the NSF under the project ITR (CCR-0225610), the Gi-
gascale System Research Center (GSRC), and by the European Commission under the projectsCOLUMBUS, IST-2002-38314, and ARTIST, IST-2001-34820.
and design environments used for software development for real-time embeddedsystems. In this paradigm, a complex system is represented as a collection of in-teracting modules whose state is updated collectively in onezero-timestep. Asynchronous specification is naturally simpler than specifying the same systemas the interaction of components whose state is updated following an intricateset of time-based interdependency relations. However, for an increasing num-ber of important applications, e.g., transportation systems, sensor networks andindustrial control, the implementation architecture is distributed. In addition,the advent of deep-submicron (DSM) technologies for IC design, where hun-dreds of millions of transistors can be integrated on a single die, is making thesynchronous paradigm very expensive to implement since the chip becomes adistributed system with interconnect delays that are up to an order of magni-tude larger that the switching delays of the gates and that arevery difficult toestimate [12].
In this scenario, we believe that new methodologies that combine specifica-tion simplicity with implementation constraints will take center place in the de-sign stage. We are indeed confident that two main research themes, heterogene-ity and desynchronization, will be very important to develop these methodolo-gies. Heterogeneity in system design comes in at least two flavors: (1) a systemnaturally accommodates components of heterogeneous nature (analog/digital,synchronous/asynchronous, hardware/software), and (2) the same system is spec-ified, optimized, and verified at various levels of abstraction in the path fromspecification to implementation using different models of computation. Thedesynchronization problem can be informally described as the task of deployinga synchronous design on a distributed architecture in a correct-by-construction(and mostly automatic) fashion. The relevance of this problem follows naturallyfrom the desire of leveraging the well-known tools and practices of synchronousdesign for the specification and the optimization of a system, while targeting ef-ficient final implementations that are distributed in nature.
We present a modeling framework that addresses both facets of hetero-geneity while focusing on the synchronization aspects of system design. Ourframework encompasses different design styles from the “strong assumptions”of synchronous design and asynchronous design, to more “relaxed and realistic”models for distributed design, like GALS. We argue for the importance of thenotions of absence to distinguish (and relate) these systems, and we illustratetheir interplay in modeling the desynchronization problem. Finally, we revisitprevious work on distributed embedded code generation (desynchronization)and latency-insensitive design and we elaborate on possible options to combinetheir results.
The desynchronization problem was formally defined in [2,3,20] and re-cently has been the object of investigation of several projects [4,13,15,16,21,22].Latency-insensitive protocols were proposed in [9] and, then, applied to syn-chronous hardware design in [8]. A complete presentation of the theory oflatency-insensitive design is given in [10].
2 The Tagged-Signal Model
In this section, we summarize the main concepts of the Lee and Sangiovanni-Vincentelli’s (LSV) tagged-signal model [19], the basis of our formal frame-work.
Given a set ofvaluesD and a set oftagsT , aneventis a member ofD×T . Asignals is a set of events. The set of allM -tuples of signals is denotedSM anda processP is a subset ofSM . A particularM -tupleb = (s1, . . . , sM ) ∈ SMsatisfies the process ifb ∈ P . An M -tuple b that satisfies a process is called abehaviorof the process. Thus, a process is a set of possible behaviors. Ataggedsystemis a composition of processes{P1, . . . , PI}, that is a new processP thatis defined as the intersection of their behaviorsP =
⋂Ii=1 Pi. To distinguish
signals, we assume an underlying setV of variables with domainD. We de-note a tagged system as a tripleP = (V, T ,B), whereV ⊂ V is a finite setof variables,T is a tag set, andB a set of behaviors with domainV . As weanticipated,compositionof two systemsP1 andP2 is given by the intersectionof their behaviors:
P1 ∩ P2 =def (V1 ∪ V2, T1 ∪ T2,B1 ∩ B2), where
B1 ∩ B2 =def
{b∣∣ b|Vi ∈ Bi, i = 1, 2
},
andb|W denotes the restriction ofb to a subsetW of variables. In the sequel, wedenote withT (s) the tag set of a signals (and, similarly, for a behavior and aprocess).
In some models of computation the setD includes a special value⊥, whichindicates the absence of a value. For any tagt ∈ T , we call(t,⊥) theabsent-value event, or simply,⊥ event. We say that a signals is presentat a given tagtwhen(∃e = (t, d) ∈ s | d 6=⊥); otherwise, we say thats is absentat t (or, thats has anevent absenceat t).
Example 1.The following diagram represents the unique behavior of a systemthat has two signals with namesu, v. At any given tag, signalu is present withunit value if and only if signalv is present and carries a positive integer value.
tag : t0 t1 t2 t3 t4 t5 t6 t7 . . .P : u : 4 −2 5 ⊥ −1 3 4 2 . . .
v : 1 ⊥ 1 ⊥ ⊥ 1 1 1 . . .
Assumption 1 For any tagt ∈ T , each signals in the system has at most oneevent, i.e.:
∀b ∈ B,∀s ∈ b, ¬[∃e1 ∈ s,∃e2 ∈ s | tag(e1) = tag(e2)
]Ordering among Signal Tags. Assumption 1 logically implies a total order<among the tags ofa signal. Then, the total order over the tag setT (s) of signals induces a total order among its events. Therefore, a signal can be seen as asequence of events. In the sequel, we use the notationti to denote thei-th tagof a signal and, naturally, we rely on the fact thatti < tj ⇔ i < j. Further, wecan use tags to identify an event of a signal (somewhat like the indexes of anarray) as well as its values. Given a signals and a tagt, we writee = eve(s, t)to denote the event ofs whose tag ist and we writed = val(s, t) to denote thevalue ofeve(s, t).
The set of all sequences of elements inD ∪ {⊥} is denoted byΣ. Functionσ : S1 × T 2 → Σ takes a signals = {(d0, t0), (d1, t1), ..} and an orderedtag pair(ti, tj), i ≤ j, and returns a sequenceσ[ti,tj ] ∈ Σ s.t. σ[ti,tj ](s) =di, di+1, . . . , dj . The sequence of values of a signal is denotedσ(s). The emptysequence is denoted asε. To manipulate sequences of values we define the fil-tering operatorF⊥ : Σ → D that returns a sequenceσ′ = F⊥[σ] s.t.
σ′i ={σ[ti,ti](s) if σ[ti,ti](s) ∈ Dε if σ[ti,ti](s) =⊥
Ordering among Process Tags.In general, the tag setT of a process is notordered, let alone totally ordered. When tags are used to express causality rela-tions among signals, it is common to assume thatT is partially ordered. In thiscase,≤ is used to denote the partial order onT by writing t < t′ whent ≤ t′ andt 6= t′. Finally, a tag system istimedif T is a totally ordered set, i.e. for each pairof distinct tagst, t′ eithert < t′ or t′ < t. Often tags are used as a mechanismto express time. This may be useful, for instance, to move across the variousrepresentations of a design at different levels of abstraction from initial specifi-cation, wherelogical timeis central, to final implementation, where each eventoccurs at a given instant of thephysical, or real, time. However, tags are essen-tially a tool to express constraints, like coordination constraints, among eventsof different signals (and, transitively, among signals and among processes).
3 Models of Computation
We use models of computation to specify the mathematical behavior of the sys-tems under design [14]. The models of computation addressed in this paper fall
tag : t0 t1 t2 t3 t4 t5 t6 t7 . . .w : 1 0 1 0 1 0 1 0 . . .
P : y : 0 2 2 6 6 10 10 14 . . .z : 0 0 4 0 8 4 12 8 . . .
w : 1 0 1 0 1 0 1 0 . . .Q : x : 1 3 5 7 9 11 13 15 . . .
y : 0 2 2 6 6 10 10 14 . . .
w : 1 0 1 0 1 0 1 0 . . .R : x : 1 3 5 7 9 11 13 15 . . .
z : 0 0 4 0 8 4 12 8 . . .
P
Q R w
y z
x
Fig. 1.The synchronous system of Example 2 and its behavior.
under the category of synchronous, asynchronous, andin betweento indicatemodels that are neither.
3.1 Synchronous Systems
Two eventse1, e2 aresynchronous(e1≈e2) when they have the same tag, i.e.e1≈e2 ⇔ tag(e1) = tag(e2). Two signalss1, s2 are synchronous (s1≈s2) whenfor each event ofs1 there is a synchronous event ins2 and vice versa, i.e.:
s1≈s2 ⇔(∀ei ∈ s1,∃ej ∈ s2, | ei≈ej
)∧(∀ek ∈ s2,∃el ∈ s1, | ek≈el
)Therefore, synchronous signals share the tag set. The definitions of two syn-chronous behaviorsb1, b2 and two synchronous processesP1 = (V1, T1,B1),P2 = (V2, T2,B2) naturally follow:
b1≈b2 ⇔ ∀si ∈ b1,∀sj ∈ b2, si 6= sj , (si≈sj)P1≈P2 ⇔ ∀bi ∈ B1,∀bj ∈ B2, (bi≈bj)
A stand-alone behaviorb is synchronous whenb≈b. A stand-alone processPis synchronous whenP≈P . Observe that in a behavior of a synchronous sys-tem, every signal is synchronous with every other signal and, equivalently, foreach tag a signal hasexactly onecorresponding event:∀b ∈ B,∀s ∈ b,∀t ∈T , (∃!e ∈ s | tag(e) = t).
Example 2.The diagram of Figure 1 represents the unique behavior of a syn-chronous system that is the result of the composition of three processesP,Q,andR. Signalw, a binary, is shared by all processes, while the remaining sig-nals, integersx, y, andz, are shared in pairwise manner. In Figure 1, the signals
are purposely represented by simple lines and not arrows. In fact, by observ-ing only the event sequences we can not say which input/output relations existamong the system processes. However, in the sequel, we focus our attentionon functional systems [19] and we use this example assuming that signalw isproduced by processP , signalsx, y by processQ, and signalz by processR.
3.2 Synchronous Languages.
Synchronous programming languages like ESTEREL, LUSTRE, and SIGNAL
represent powerful tools for the specification of complex real-time embeddedsystems because they allow to combine the simplicity of the synchronous as-sumption with the power of concurrency in functional specification [6,7,18,17].They are synchronous systems with particular properties and for this reason,they are often considered a model of computation in addition to the generic syn-chronous model. Thesynchronous programming modelcan be expressed by thefollowing “pseudo-mathematical” statements [3,5]:
P ≡ Rω
P1||P2 ≡ (R1 ∧R2)ω
whereP, P1, P2 denote synchronous programs,R,R1, R2 denote the sets of allthe possible reactions of the corresponding programs, and the superscriptω in-dicates non-terminating iterations. The first expression interprets the essence ofthe synchronous assumption: a synchronous programP evolves according toan infinite sequence of successive atomic reactions. At each reaction, the pro-gram variables may or may not present a value. The second expression definesthe parallel composition of two components as the conjunction of the reactionsfor each component. This implies that communication among components isperformed via instantaneous broadcast. To cast the synchronous programmingmodel into the LSV formalism, we naturally associate signals to variables anduse tags to index the program reactions. An important feature offered by thesynchronous programming model is the ability of taking decisions based onthe absence of a value for a variable at a given reaction, i.e.,in synchronoussystems absence can be sensed. This is perfectly in line with the definition ofthe absent-value event since processes react to events and hence can also reactto the particular absent-value event. The absent-value event plays an importantrole in synchronous models of computation. In fact, the essence of the model isthat all computation processes awake simultaneously when any of them posts anevent for communication. Some of the signals that connect the processes maybe not present. The synchronous model requires that these signals be read withthe absent-value event posted. If indeed the information on the presence of an
absent-value event does not cause a process to react to it, then reading this eventis an unnecessary complication. We shall see later that recognizing this situationand eliminating the associated steps are key in deriving a more effective deploy-ment that, while formally giving up the synchronous model, maintains behaviorequivalence with the original synchronous specifications.
The notion ofclock of a variableis introduced as aBoolean meta-variabletracking the absence/presence of a value for the corresponding variable1. Vari-ables that are always present simultaneously are said to have the same clock, sothat clocks can be seen as equivalence classes of simultaneously-present vari-ables. In the sequel, we focus our attention on SIGNAL , which is a declarativelanguage [6]. Besides parallel composition, SIGNAL ’s main operators are thefollowings:
– statementc := a op b, whereop denotes a generic logic or arithmeticoperator, defines not only that the values ofc are function of those ofa andb, but also that the three variables have the same clock;
– statementc := a$ k , wherek is a positive integer constant, specifies boththat c and a have the same clock and that at then-th reaction when thetwo signals are present, the value ofc is equal to the value held bya at the(n-k)-th reaction;
– statementc := a default b specifies that variablec is present at ev-ery reaction where eithera or b is present while taking the value ofb onlyif a is not present (oversampling);
– statementc := a when b specifies that variablec is present (taking thevalue ofa) only when botha is present and the Boolean condition expressedby variableb is true (undersampling).
While the first two statements aresingle-clock, the last two aremulti-clock. Ad-ditional operators are available to directly relate the variable clocks: for instance,statementc ∧= a constraints variablesc anda to have the same clock, with-out relating the values that they assume. The SIGNAL compiler usesclock cal-culusto statically analyze every program statement, identify the structure of theclock of each variable, and schedule the overall computation. The compiler re-jects the program when it detects that the collection of its statements as a wholecontains clock constraint violations.
Example 3.Figure 2 reports the code of a SIGNAL program that is structured asa main process with three sub-processesP,Q, andR. These processes commu-nicate via signalsw, x, y, z that are constrained to be synchronized (first state-ment of the main process). Hence, using SIGNAL jargon, these signals belong
1 Notice that despite its name the clock of a variable is not necessarily a periodic signal.
process MAIN (? boolean tag;! boolean w, x, y, z;) ( || x ∧= y ∧= z ∧= w ∧= tag| w := P(tag, y, z)| (x,y) := Q(tag, w)| z := R(tag, w, x)|);
process P (? boolean tag; integer y, z;) ( |! integer w;) (| i ∧= tag| i := (i $1 init (-1)) + 1| iW := true when (i < 1)| w := iW default (y$1 > z$1)|) where integer i, iW; end;
process Q (? boolean tag; integer w;! integer x, y;) ( || i ∧= tag| i := (i $1 init (-1)) + 1| iY := 0 when (i < 1)| y := iY default (
if w$1 then (x $1+1) else (x $1-1))| x := (x + 2) $1 init 1|) where integer i, iY; end;
process R (? boolean tag; integer w, x;! integer z;) ( || i ∧= tag| i := (i $1 init (-1)) +1| iZ := 0 when (i < 2)| z := iZ default (
if w$1 then x$2 -3 else x$2 +3)|) where integer i, iZ;end;
Fig. 2. SIGNAL program with a deterministic behavior as in Example 2.
to the sameclock equivalence class[6], which is also the class of signaltag.Signal tag is an external input whose values evolve as an infinite alternatingsequence of0s and1s. Under this assumption, a run of programMAIN returnsdeterministically a tuple of sequences of values for variablesw, x, y, z that co-incide with the behavior of the synchronous system of Example 2. By analyzingthe program we derive the functional relationships between its signals: for in-stance, we see thaty and z are input signals for processP , which producesoutput signalw. Also, we learn causality dependencies among signals like, forinstance, that every event of signalw, besides the first, depends on the events ofy andz occurred at the previous reaction. Similarly, while the first two events ofz carry values equal to0, each subsequent event depends on the event occurredonw at the previous reaction as well as on the event occurred onx two reac-tions earlier. Hence, events ofw depend on events ofz and vice versa. In fact,cyclic causality dependencies across signals of a synchronous program are quitecommon and may be problematic only in the presence of acombinational cycle,i.e. when two events with the same tag depend on each other. The discussion ofmethods to handle this issue goes beyond the scope of this paper (see [5]).
3.3 Asynchronous Systems
The definition of asynchrony as used in the literature is vague: some use theterm to indicate any systems that isnot synchronous, others are more restric-tive. According to [19], two eventse1, e2 areasynchronous(e1 ' e2) if theyhave different tags, i.e.e1'e2 ⇔ tag(e1) 6= tag(e2). Two signalss1, s2 are
asynchronous (s1's2) when:
s1's2 ⇔(∀ei ∈ s1 6 ∃ej ∈ s2 | ei≈ej
)Asynchronous signals have disjoint tag sets. The definitions of asynchronous be-haviorsb1, b2 and asynchronous processesP1 = (V1, T1,B1), P2 = (V2, T2,B2)follow:
b1'b2 ⇔ ∀si ∈ b1,∀sj ∈ b2, si'sjP1'P2 ⇔ ∀bi ∈ B1,∀bj ∈ B2, bi'bj
A stand-alone behaviorb is asynchronous whenb'b. A stand-alone processPis asynchronous whenP'P . In a behavior of an asynchronous system, everysignal is asynchronous with every other signal and, equivalently, for each tagthere is one and only one event across all signals:∀b = (s1, . . . , sM ) ∈ B,∀t ∈T , (∃!e ∈
⋃i si | tag(e) = t) .
Example 4.The following diagram represents the unique behavior of the asyn-chronous systemSa = Pa ∩Qa ∩Ra. ProcessesPa, Qa, andRa communicateby sharing signals (as it is the case for synchronous systems), but signals do notshare tags.
tag : t0 t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17 t18 t19 . . .wa : 1 0 1 0 1 . . .
Pa : ya : 0 2 2 6 6 . . .za : 0 0 4 0 8 . . .
wa : 1 0 1 0 1 . . .Qa : xa : 1 3 5 7 9 . . .
ya : 0 2 2 6 6 . . .
wa : 1 0 1 0 1 . . .Ra : xa : 1 3 5 7 9 . . .
za : 0 0 4 0 8 . . .
3.4 Between Synchronous and Asynchronous: Globally-AsynchronousLocally-Synchronous Systems
Formally, the set of asynchronous systems isnot the complement of the set ofsynchronous systems. In fact, there is a set of systems that sitsin betweenthesetwo sets and whose elements are useful to model heterogeneous systems anddistributed architectures. An element of thisin-between setis a process witha behavior that has both at least a pair of synchronous events (hence, it is notasynchronous) and at least a tag for which a signal does not present a corre-sponding event while another does (hence, it is not synchronous). A relevant
subset of this set is the class of Globally-Asynchronous Locally-Synchronous(GALS) Systems.
GALS systems are of particular interest because they represent a compro-mise that allows designers to leverage the traditional practices and tools of syn-chronous design for implementations of synchronous processes on distributedarchitectures. In a GALS system, computation occurs in synchronous clustersexchanging data asynchronously via a set of communication media. Each clus-ter runs with its own clock that controls also the sampling of new values for itsinput signals. At each sampling period, some of these new values may or maynot be present, depending on the transferring latencies in the asynchronous com-munication media. Since we want to focus on the communication mechanismsat the interface between synchronous and asynchronous, our LSV definitionfor GALS systems assumes, without lack of generality, that all asynchronouscommunications can be modeled as occurring within a single media process. AGALS systemSg =
⋂Pi∈P Pi ∩E is the composition of a collectionP of com-
putation processesand onecommunication, or media, processE = (Ve, Te,Be)s.t.:
∀Pi, Pj ∈ P,(
(i = j ⇒ Pi≈Pj) ∧ (i 6= j ⇒ Pi'Pj))
, and
∀Pi = (Vi, Ti,Bi),∀b ∈ Be,(b|Vi ∈ Bi
)
Eg
Pg
Qg Rg
w1y2 z2
y1
x1 x2
z1
w2 w3
Fig. 3.GALS system for Example 5.
Each computation process is astand-alone synchronous process be-cause it runs with its own logicalclock whose occurrences are repre-sented by tags. In the general case,we assume that no relation exists be-tween the clocks of distinct computa-tion processes leaving total freedomin the implementation process. Thisis captured by saying that intersectionof their tag sets is empty (i.e., theyare pairwise asynchronous processes).Instead, a media process is not syn-chronous (because it models the com-munication latency and the sharing ofcommunication resources among processes that are pairwise asynchronous) norasynchronous (because each subset of its signals that interfaces a specific com-putation process is a synchronous sub-process). Hence, from a LSV perspective,the name globally-asynchronous locally-synchronous is justified when consid-ering the system from the viewpoint of any of its computation processes.
Example 5.The diagram below reports the unique behavior of the GALS sys-tem Sg of Figure 3, which is the result of the composition of four processesPg, Qg, Rg, andEg. ProcessPg is synchronous because all its signals are syn-chronous. The same is true for processesQg andRg separately. However, thecomposition of processesPg, Qg, andRg is not a synchronous process (no tag isshared across signals of different processes). Observe thatPg has a period twiceas fast as those ofQg andRg. ProcessesPg, Qg, andRg communicate only viathe media processEg. ProcessEg, acting as the communication environment,has subsets of its signals synchronized with signals of the other processes, but,as a stand-alone process, it is not synchronous. The signals ofEg can be parti-tioned in equivalence classes, whose members carry the same sequence of valuesat different tags (e.g., signalx2 is a “delayed” version of signalx1). We call thisrelation semantic equivalence (see Section 4.1).
tag : t0 t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17 t18 t19 t20 t21 t22 . . .w1 : 1 ⊥ ⊥ 0 ⊥ 1 ⊥ ⊥ 0 ⊥ 1 ⊥ . . .
Pg : y2 : ⊥ 0 ⊥ 2 ⊥ ⊥ ⊥ 2 ⊥ 6 ⊥ 6 . . .z2 : ⊥ ⊥ 0 ⊥ 0 ⊥ 4 ⊥ 0 ⊥ ⊥ ⊥ . . .
w2 : 1 ⊥ 0 1 0 1 . . .Qg : x1 : 1 3 ⊥ 5 7 9 . . .
y1 : 0 2 ⊥ 2 6 6 . . .
w3 : 1 0 1 ⊥ 0 . . .Rg : x2 : 1 3 ⊥ 5 7 . . .
z1 : 0 0 4 0 ⊥ . . .
w1 : 1 ⊥ ⊥ 0 ⊥ 1 ⊥ ⊥ 0 ⊥ 1 ⊥ . . .w2 : 1 ⊥ 0 1 0 1 . . .w3 : 1 0 1 ⊥ 0 . . .x1 : 1 3 ⊥ 5 7 9 . . .
Eg : x2 : 1 3 ⊥ 5 7 . . .y1 : 0 2 ⊥ 2 6 6 . . .y2 : ⊥ 0 ⊥ 2 ⊥ ⊥ ⊥ 2 ⊥ 6 ⊥ 6 . . .z1 : 0 0 4 0 ⊥ . . .z2 : ⊥ ⊥ 0 ⊥ 0 ⊥ 4 ⊥ 0 ⊥ ⊥ ⊥ . . .
Discussion on Communication Media.Our proposal for modeling a distributedsystem with the LSV model is to use more than one signal to capture each com-munication thread between two processes. For instance, if processPg sends datato processQg, we must be able to distinguish between the sending event and thereceiving event. To do so, we need at least two signals, e.g.w1 andw2. Each newevent ofw1 is created byPg, whose overall activity of reading input events andcomputing output events proceeds according to its tag setT (Pg). Then, a newevent ofw1 causes at least a corresponding event ofw2 within the media process(more events could be necessary to model arbitrary latencies or the sharing of
communication resources). Finally, eventw2 is consumed byQg, whose activ-ity is controlled by tag setT (Qg) that has empty intersection with the tag set ofevery other synchronous processes, includingT (Pg). In synchronous systems,signal decoupling is not necessary thanks to the power of the synchronous ab-straction: all processes create and sample events at the same tags and a uniquesignalw is sufficient to express theinstantaneouscommunication2, betweenprocessP and processQ (see Example 2). Strictly asynchronous systems relyon an abstraction that is equally powerful: there is no notion of global (i.e., sys-tem) or local (i.e., process) tag set and two processes communicate by sharingsignals that are produced and sampled independently from the rest of the com-munication and computation activities in the system. The sharing of a signal inasynchronous systems represents the presence of anad-hochandshaking com-munication protocol, which is dedicated to the particular communication of, say,wa from Pa toQa: a new event forwa is created byPa only whenQa is readyto the sample it (see Example 4).
GALS and Absence. In the GALS systemSg = (Vg, Tg,Bg) of Example 5, atany given tagt ∈ Tg, for any signals ∈ Vg, one of three things can happen:
1. t 6∈ T (s) (event absence)2. t ∈ T (s) ∧ ∃e = (t, d) ∈ s | d =⊥ (value absence)3. t ∈ T (s) ∧ ∃e = (t, d) ∈ s | d 6=⊥ (presence)
From a global viewpoint, a GALS system is a system with multiple tag sets(a multi-clock system), each representing a dimension that is familiar to a syn-chronous process and extraneous to all the remaining synchronous processes.For instance, the signals of processPg do not have events at tagt1 and the sig-nals of processesQg andRg do not have events at tagt0. However, processPgdoes not “expect” an event at tagt1 nor at tagst3, t5, . . . because these are tagsthat do not belong to the tag set ofPg: they represent instants of a time dimen-sion that is completely extraneous toPg. Different meaning has the absence thatPg detects on signaly2 at t4, which is a tag belonging toT (Pg). In fact, at tagt4, Pg is looking for a significant event, but it ends up sampling the absent-valueevent (the awaited event will arrive only at tagt6, after being created by processQg) because of the latency introduced by the communication medium. This caseis typical of a GALS system, because, in a purely synchronous model, the absentvalue event is always an “expected” event. In this case, the computation can be
2 Instantaneous has to be interpreted in the sense of a process that is not “seen” by the com-putation part of the system. Communication and computation in synchronous systems neveroverlap.
affected in a substantial way sincePg can compute on the absence value eventand produce an output that is different from the one originally expected.
Deploying automatically a synchronous design on a distributed architectureentails the development of techniques for making each process robust with re-spect to absence. In other words, we ask under which conditions we can guaran-tee that sensing the absent value event when a different value was expected doesnot produce incorrect behavior or thatnot sensing an absent value event whenone is expected, does not change the behavior of the system. Section 4 discussesmethods to achieve this result.
Remark. Consider again the case of asynchronous design (see Example 4).By definition, the tag sets of any two asynchronous signalsxa, ya are disjoint.Thus, for each tag inT (xa) there is no corresponding event in signalya and viceversa. If we consider an asynchronous system with several signals, we have thatfor each event that is present in one of its signal, there are absences in all the re-maining signals. This phenomenon is so inherent to the notion of asynchronoussystem that here the notion of event absence looses its meaning: when eventsare always systematically absent, there is no point in looking for their presence!In fact, in asynchronous systems no common references exist across processesand processes cannot (and do not attempt) to detect event absence: inter-processcommunication occurs according to handshake protocols that don’t leave spacefor this kind of uncertainty.
4 Deploying Synchronous Design on Distributed Architectures
In this section, we revisit previous research that targets the implementationof a synchronous design on a distributed architecture both in software and inhardware. We introduce the definition of semantic equivalence, which providesa formal ground to establish when the behavior of a distributed implementa-tion conforms to the one of the synchronous specification. Then, we summa-rize the theory of latency-insensitive design and we present the main results onthe desynchronization of synchronous programs for distributed embedded codegeneration. Finally, we compare these two approaches and we sketch two pos-sible research avenues to combine them.
4.1 Semantic Equivalence
With the notion of semantic equivalence between processes we capture the factthat their operations produce exactly the same result from the viewpoint of anobserver watching the sequences of values of their signals.
Two signals aresemantic equivalentif they have the same sequence of val-ues after discarding the⊥ events. This is written:s ≡ s′ ⇔ F⊥[σ(s)] =
F⊥[σ(s′)]. Two behaviorsb = (s1, . . . , sM ), b′ = (s′1, . . . , s′M ) are semantic
equivalentb ≡ b′ when there exists a bijective mapψ : b 7→ b′ s.t.∀i, (si ≡ψ(s′i)). Finally, for two processesP = (V, T ,B), P ′ = (V, T ′,B′) we have:P ≡ P ′ ⇔ (∀b ∈ B,∃b′ ∈ B′ | b ≡ b′).
Similarly to flow equivalence[16], semantic equivalence indicates that twobehaviors have exactly the same sequence of present events, which, however,may be interleaved by a different number of⊥ events. Hence, we can use it tomodel implicitly the communication latency between processes: e.g., the com-munication of events fromP to Q occurs via a media processE and involvesseveral signalsup, ue1 , ue2 , . . . , , uq that belong all to the same class of seman-tic equivalence. Observe that semantic equivalence doesn’t say anything abouttags: processesP, P ′ can be semantic equivalent even ifT (P ) ∩ T (P ′) = ∅.Finally, note that it is a compositional property, in the sense that if two pairsof processes are semantic equivalent, their pairwise intersections give semanticequivalence processes, i.e. (P ≡ P ′ ∧Q ≡ Q′) ⇒ (P ∩Q ≡ P ′ ∩Q′).
Example 6.Reconsidering the systems of Examples 2 and 4, we have thatψ(w) =wa, ψ(x) = xa, ψ(y) = ya, ψ(z) = za. and, consequently:P ≡ Pa, Q ≡Qa, R ≡ Ra and, finally,P ∩ Q ∩ R ≡ Pa ∩ Qa ∩ Ra. Now, consider theGALS system of Example 5. First, observe how semantic equivalence modelsthe communication among the computation processesPg, Qg andRg via themedia processEg. For instance,{w1, w2, w3} is a semantic equivalence classrepresenting the communication fromPg to bothQg andRg. The other equiva-lence classes are{x1, x2}, {y1, y2}, and{z1, z2}. LetV ? = {w1, x1, y1, z1} bethe set of representative variables for each equivalence class and for all behav-iorsb ∈ Pg ∩Qg ∩Rg let b? = b|V ? . Then, we have thatψ′(w1) = w, ψ′(x1) =x, ψ′(y1) = y, ψ′(z1) = z, and, finally:(Pg ∩Qg ∩Rg)|V ? ≡ P ∩Q ∩R.
4.2 Latency-Insensitive Systems.
Latency-insensitive protocols [9,10] were originally proposed to address the in-terconnect delay problem in synchronous hardware design. The latency-insensi-tive design methodology takes astrict synchronoussystem specification and au-tomatically derives alatency-equivalent synchronousimplementation. This im-plementation formally operates as a synchronous system, but, practically, doesit in a looser fashion that makes it robust with respect to arbitrary, but discrete,latency variations between its processes.
A key element of a latency-insensitive protocols is the concept ofstallingevent(or, τ event), i.e. an event carrying as value the special symbolτ , as op-posed to aninformative event, i.e. an event carrying a valued in accordance
with the original specification. A stalling events is themodeling unitto rep-resent explicitly latency variations in inter-process communication, while re-maining within the boundaries of the synchronous model. Hence, we augmentdomainD with τ , while Σlat denotes the set of all sequences of elements inD ∪ {τ}. A strict signals is always present and contains only informativeevents:∀t ∈ T (s), (val(s, t) 6∈ {⊥, τ}). A stalledsignals contains at least oneτ event:(∃t ∈ T (s) | val(s, t) = τ). Similarly to the definition of operatorF⊥,we define operatorFτ : Σlat → Σ as follows:
σ′i ={σ[ti,ti](s) if σ[ti,ti](s) 6= τ
ε otherwise
Two signalss, s′ arelatency-equivalentif they have the same sequence of val-ues after discarding theτ events. This is written:s ≡τ s′ ⇔ Fτ [σ(s)] =Fτ [σ(s′)]. As for semantic-equivalence, the definition of latency-equivalenceextends to behaviors and processes. The main result of latency-insensitive de-sign follows:
Theorem 1 ([10]). If S =⋂i Pi is a strict synchronous system andS′ =
⋂i P′i
is a system of patient processes s.t.∀i (P ′i ≡τ Pi) thenS′ ≡τ S.
Informally, a patient process is able to wait an arbitrary amount of reactions foran informative event to occur at any of its inputs and, when this occurs, it reactsas if not delay passed by. Hence, patience, which is compositional, enables thecompensation of any arbitrary latency in inter-process communication. Whilepatience is generally a strong requirement to demand, eachstallable compo-nent (core process) can be made patient by generating proper interface logic(shell process) implementing the latency-insensitive protocol. A component isstallable if it can freeze its internal state for an arbitrary amount of time. In hard-ware systems, this property can be obtained through agated-clock mechanism.At each reaction, the presence of aτ event at one of the input ports of a shell/corepair means that the expected informative event is not ready yet and will be de-layed for at least another reaction. Hence, the shell logic reacts by stalling theinternal core, while emitting new stalling events on the outputs and saving theinformative events of its other input signals on internal buffers3. Once all theinformative events for that reaction finally arrive, the interface reactivates theinternal core, which progresses producing new informative events. It is impor-tant to notice that untilall informative events for a given reaction arrive, theshell logic doesnot reactivate the core process, regardless of its internal com-putational structure. In fact, the shell logic ignores this structure and sees the
3 To discuss the issue of how to determine the optimum size for these buffers or, alternatively, in-troduceback-pressureas part of the protocol goes beyond the scope of this paper (see [10,11]).
tag : t0 t1 t2 t3 t4 t5 t6 t7 . . .wl : 1 0 τ 1 0 1 τ 0 . . .
Pl : yl : 0 2 2 τ 6 6 10 τ . . .zl : 0 τ 0 4 0 τ 8 4 . . .
wl : 1 0 τ 1 0 1 τ 0 . . .Ql : xl1 : 1 3 5 τ 7 9 11 τ . . .
yl : 0 2 2 τ 6 6 10 τ . . .
wl : 1 0 τ 1 0 1 τ 0 . . .Rl : xl2 : τ 1 3 5 τ 7 9 11 . . .
zl : 0 τ 0 4 0 τ 8 4 . . .
QL
shell
QL
shell
QL
shell
PL
QL RL
wL
relaystation
yL zL
xL1 xL2
Fig. 4.The latency-insensitive system of Example 7 and its behavior.
core simply as ablock boxcomponent. This conservative approach is a conse-quence of the assumption, influenced by single-clock hardware design, that theoriginal system specification is strictly synchronous (a signal never presents a⊥event at any reaction). In Section 4.4, we discuss how to lift this assumption toextend the application of latency-insensitive design to multi-clock and softwaresystems.
Example 7.The application of latency-insensitive design to integrated circuitsprovides two main advantages: (a) it enables thea-posterioriautomatic pipelin-ing of long wires by insertion of special patient processes calledrelay sta-tions [8]; (b) it facilitates the assembly of pre-designed components, that, aslong as they are stallable, can be interfaced to the communication protocol with-out changing their internal structure. Assume that each process of Example 2 isimplemented as a distinct finite state machine on an integrated circuit and thatthe wire carrying signalx fromQ to R is the only one that has been pipelinedby introducing one relay station. Figure 4 reports the structure and the behaviorof the resulting latency-insensitive system after each process has been made pa-tient by wrapping it within a shell. Note that the system is strictly synchronous(no absent-value⊥ events occur at any tag). At the system initialization, theonly stalling event is the one at the output of the relay station because a relaystation represents a “design correction” that is extraneous to the original systemspecification, while each finite state machine is properly initialized according toit. As the behavior evolves, new stalling events are generated whenever a pro-cess must wait for a new informative event at its inputs. In fact, since the systemis cyclic [11],τ events occur periodically on each signal at the rate of1/4.
4.3 Desynchronization of Synchronous Programs.
The behavior of a synchronous system can be seen as a sequence of tuples ofevents with each tuple indexed by a tag. This is not the case for an asynchronousor a GALS system: the most one can say is that a behavior, being a tuple ofsignals, is a tuple of sequences of events. In [2,3,20],desynchronizationis de-fined as the act of discarding the synchronization barriers that delimit successivereactions in a synchronous program. Since this corresponds to filtering awaythe absent-value events, desynchronization amounts to mapping a sequence oftuples of values in domains extended with the extra value⊥ into a tuple ofsequences of present values, one sequence per each variable. The desynchro-nization abstraction is relevant because it provides a formal way to characterizethose synchronous programs that can be deployed on a distributed architecturewithout losing their semantics. As proven in [3], the notions of endochrony andisochrony are sufficient for this characterization.
Let clk(s, t) be a Boolean function denoting whether signals presents anevent at tagt or no, i.e.(clk(s, t) = 1 ⇔ val(s, t) 6= ⊥). For any processP = (V, T ,B), any tagt ∈ T , and any pair of subsetsW,W ′ s.t.W ⊂W ′ ⊆ V ,we say thatW tag-determinesW ′ at t, writtenW →t W
′, when:
∀b ∈ B,∀s ∈ b|W ′ ,(∃φ : Dt
W → {1, 0} | clk(s, t) = φ(DtW ))
whereDtW is the set of valuesval(s, t) for s ∈ b|W . Since relationW →t W
′
is stable by union overW ′ sets, there is a maximalW ′ that is tag-determinedbyW at t. Thus, for any tagt ∈ T , if V is a finite set then there is a maximalchain∅ = W0 →t W1 →t W2 →t . . . →t Wmax. A processP = (V, T ,B)is endochronouswhen∀t ∈ T , (Wmax = V ). In other words: a process isendochronous when for each tag of its behaviors the presence/absence of eventon all its signals can be inferred incrementally from the values carried by asubset of them that are guaranteed to be present at this tag.
Two processesP = (V, T ,B), P ′ = (V ′, T ′,B′) areisochronouswhen foreach behaviorsb ∈ B there is a behaviorb′ ∈ B′ (and vice versa) s.t.:
∀t ∈ T , (W ?t 6= ∅ ⇒W ?
t = W )
whereW = V ∩ V ′ andW ?t = {s ∈ W | val(b, s, t) = val(b′, s, t) 6= ⊥}. In
other words: two processes are isochronous when, at each tag, if there is a pairof shared signals that are present and agree on the event value, then for eachother pair of shared signals, either they are present and agree on their value orthey are absent.
Endochrony and isochrony allow the derivation of a key result for the auto-matic generation of distributed embedded code:if each process of a synchronous
program is endochronous and all processes are pairwise isochronous, then de-ploying the program on a GALS architecture gives a semantic-equivalent im-plementation[3]. For any processP (V, T ,B), let α(P ) denote the semanticequivalent asynchronous process that is constructed fromP by: (1) applyingtransformationF⊥[σ(s)] to each signals ∈ b, for all b ∈ B, and (2) properlyadding tags to each event ofα(P ) s.t.∀s, s′ ∈ b, (T (s) ∩ T (s′) = ∅).
Theorem 2 ([3]). Let⋂i Pi be a synchronous system such that eachPi is en-
dochronous and each pair(Pi, Pj) is isochronous. Then⋂i α(Pi) = α(
⋂i Pi).
Endochrony and isochrony can be expressed in terms of transition relations,are model checkable and synthesizable. Recall that the SIGNAL compiler han-dles the parallelism specified using synchronous composition by organizing thecomputation of signals as a collection of hierarchical trees (theclock hierarchyforest) based on the relations among their clocks. Hence, in practice, a syn-chronous program can be made endo-isochronous by adding a set of “Booleanguard” variables and a master clock to transform this forest into a tree. Thisapproach is somewhat equivalent to synthesize an inter-process communicationprotocol and carries a drawback: there is not unique solution, or, in other words,there are many possible communication protocols.
4.4 Latency-Insensitive Design and Endo-Isochrony
Several commonalities between the work on synchronous program desynchro-nization and latency-insensitive design have been already pointed out in [1].Here, we return on the topic to understand how the two approaches could becombined. First, we report a simple theoretical result.
Theorem 3. The processes of a latency-insensitive system satisfy the propertiesof endochrony and isochrony.
Proof. LetS be a latency-insensitive system. For each behavior of a processPof S, there is never a⊥ event on any signal. Thus, all signals ofP belong tothe same clock-equivalence class that coincides with the class of the activationclock ofP and their presence is always trivially established. Hence, with respectto the above definition of endochrony,Wmax = V for all tagst. This provesendochrony ofP . For the isochrony of any pair of processesP andP ′ of S, itis sufficient to notice that for each behavior ofP either there exists a behaviorof P ′ that agrees withP on the values of the events of all its signals, which areall present, or it doesn’t exists (tertium non datur). �
The previous result should not come as a surprise if we reflect on the intrin-sic differences betweenτ events and⊥ events: the former is used to maintainthe semblance of synchronous behavior while the latter represents the lack of it.
In other words, aτ event tells the process that “the awaited value is not readyyet”, whereas a⊥ event says “there is no value to wait for”. Hence, theτ mech-anism accounts for the arbitrary latency of interprocess communication whileenforcing a synchronous behavior for the distributed latency-insensitive system.Consequently, as illustrated by the diagram of Example 7,τ events never leavethe systems (unless for the particular case of acyclic systems) and a price in per-formance may be ultimately paid [11]. Instead, one may wonder whether it ispossible to derive an alternative endo-isochronous implementation of the systemof Example 7 that doesn’t rely on latency-insensitive design. In theory, this iscertainly possible but in practice it may be challenging and not necessarily ad-vantageous. This depends on the inner structure of each process in the system.In the particular case of Example 7 the result would be positive because theanalysis of the causality dependencies among the events shows that the first twoevents of output signalz do not depend on the first event of input signalxl2 , thedelayed event (see also Example 3). Hence, the endo-isochronous implemen-tation would be able toabsorbthe⊥ event (which it would see instead of theτ event seen in the corresponding latency-insensitive system) and the behaviorwould progress without further event absences.
5 Concluding Remarks
We used the tagged-signal model together with a simple “running example” toprovide a comparative view of various design approaches: synchronous, asyn-chronous, GALS, latency-insensitive, and synchronous programming. In par-ticular, we studied the interplay among the concepts of event absence, eventsampling, and communication latency in modeling distributed heterogeneousdesign. Finally, we presented a new comparison of synchronous program desyn-chronization and latency-insensitive design. The main operational differencebetween latency-insensitive design and synchronous program desynchroniza-tion can be expressed as follows: the former knows how to handleblack boxprocesses but does not know how to analyze/exploitwhite boxones (that aretreated uniformly as if they were black box processes); the latter does not knowhow to handle black box processes and must analyze the inner structure of eachwhite box process in the system (as well as the properties of each communi-cating pair), but it is clever in exploiting the information resulting from thisanalysis. These reflections naturally lead to consider two new research avenuesfor extending the work on latency-insensitive design: (1) for single-clock sys-tems, we could analyze each process that comes as a white box module andlearn its input/output causality dependencies to see if they allow us to absorbsomeτ events at given states; (2) for multi-clock systems, we could combine
the two approaches by applying hierarchically first the endo-isochronous analy-sis to handle⊥ events and, then, the latency-insensitive protocol mechanism tohandleτ events.
Acknowledgments
The collaboration with Albert Benveniste and Paul Caspi has been essential inderiving the considerations made in this paper. We gratefully acknowledge theircontributions to our on-going discussions on specification and implementationof distributed systems.
References
1. A. Benveniste. Some synchronization issues when designing embedded systems from com-ponenents. In T.A. Henzinger and C.M. Kirsch, editors,Embedded Software. Proc. of theFirst Intl. Workshop, EMSOFT 2001. Tahoe City, CA, volume 2211 ofLNCS, pages 32–49,Berlin, October 2001. Springer Verlag.
2. A. Benveniste, B. Caillaud, and P. Le Guernic. From synchrony to asynchrony. In J.C.M.Baeten and S. Mauw, editors,CONCUR’99. Concurrency Theory, 10th International Con-ference, volume 1664 ofLNCS, pages 162–177, Berlin, August 1999. Springer Verlag.
3. A. Benveniste, B. Caillaud, and P. Le Guernic. Compositionality in dataflow synchronouslanguages: specification & distributed code generation.Information and Computation,163:125–171, 2000.
4. A. Benveniste, L. P. Carloni, P. Caspi, and A. L. Sangiovanni-Vincentelli. Heterogeneousreactive systems modeling and correct-by-construction deployment. In R. Alur and I. Lee,editors,Embedded Software. Proc. of the Third Intl. Conference, EMSOFT 2003. Philadel-phia, PA, LNCS, Berlin, October 2003. Springer Verlag.
5. A. Benveniste, P. Caspi, S. Edwards, N. Halbwachs, P. Le Guernic, and R. de Simone. TheSynchronous Language Twelve Years Later.Proc. of the IEEE, 91(1):64–83, January 2003.
6. A. Benveniste and P. Le Guernic. Hybrid Dynamical Systems Theory and the Signal Lan-guage.IEEE Transactions on Automatic Control, 5:535–546, May 1990.
7. G. Berry.The Foundations of Esterel. MIT Press, 2000.8. L. P. Carloni, K. L. McMillan, A. Saldanha, and A. L. Sangiovanni-Vincentelli. A method-
ology for “correct-by-construction” latency insensitive design. InProc. Intl. Conf. onComputer-Aided Design, pages 309–315. IEEE, November 1999.
9. L. P. Carloni, K. L. McMillan, and A. L. Sangiovanni-Vincentelli. Latency insensitive proto-cols. In N. Halbwachs and D. Peled, editors,Proc. of the 11th Intl. Conf. on Computer-AidedVerification, volume 1633, pages 123–133, Trento, Italy, July 1999. Springer Verlag.
10. L. P. Carloni, K. L. McMillan, and A. L. Sangiovanni-Vincentelli. Theory of latency-insensitive design.IEEE Transactions on Computer-Aided Design of Integrated Circuitsand Systems, 20(9):1059–1076, September 2001.
11. L. P. Carloni and A. L. Sangiovanni-Vincentelli. Performance analysis and optimization oflatency insensitive systems. InProc. of the Design Automation Conf., pages 361–367. IEEE,June 2000.
12. L. P. Carloni and A. L. Sangiovanni-Vincentelli. Coping with latency in SOC design.IEEEMicro, 22(5):24–35, Sep-Oct 2002.
13. J. Cortadella, A. Kondratyev, L. Lavagno, , and C. Sotiriou. A concurrent model for de-synchronization. InProc. Intl. Workshop on Logic Synthesis, Laguna Beach, CA, May 2003.
14. S. Edwards, L. Lavagno, E. Lee, and A. Sangiovanni-Vincentelli. Design of embedded sys-tems: Formal methods, validation and synthesis.Proc. of the IEEE, 85(3):266–290, March1997.
15. A. Girault and C. Menier. Automatic production of globally asynchronous locally syn-chronous systems. In A. Sangiovanni-Vincentelli and J. Sifakis, editors,Embedded Soft-ware. Proc. of the Second Intl. Workshop, EMSOFT 2002. Grenoble, France, volume 2491of LNCS, Grenoble, France, October 2002. Springer-Verlag.
16. P. Le Guernic, J. P. Talpin, and J. C. Le Lann. Polychrony for system design.Journal forCircuits, Systems and Computers, April 2003.
17. N. Halbwachs.Synchronous Programming of Reactive Systems. Kluwer Academic Publish-ers”, 1993.
18. N. Halbwachs, P. Caspi, P. Raymond, and D. Pilaud. The synchronous data flow program-ming language LUSTRE.Proc. of the IEEE, 79(9):1305–1320, September 1991.
19. E. A. Lee and A. Sangiovanni-Vincentelli. A Framework for Comparing Models of Com-putation.IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems,17(12):1217–1229, December 1998.
20. J. P. Talpin, A. Benveniste, B. Caillaud, and P. Le Guernic. Hierachical Normal Form forDesynchronization. Technical Report 3822, IRISA, 1999.
21. J. P. Talpin, P. Le Guernic, S. K. Shukla, R. Gupta, and F. Doucet. A polychronous modelfor high-level component-based system design. InProc. European Design and Test Conf.,2003.
22. J. P. Talpin, P. Le Guernic, S. K. Shukla, R. Gupta, and F. Doucet. Polychrony for formalrefinement-checking in a system-level design methodology. InApplication of Concurrencyto System Design (ACSD’2003), 2003.
